One of the main selling points of IPv6, according to the early IPv6 evangelists, was that it had better security than IPv4, supposedly because IPv6 includes mandatory support for end-to-end encryption with IPsec (Internet Protocol Security). But that’s just a myth, because IPv4 supports IPsec as well.

Ivan Pepelnjak, NIL Data Communications

You can be IPv6-compliant without implementing any of the IPsec encryption algorithms, and the key distribution (or remote endpoint authentication) problems remain as difficult as ever.

To understand IPv6 security issues, we need to move past the IPv6 security myths and consider the hard practical questions: How secure is IPv6 compared to IPv4? (After all, the last IPv4 blocks allocated by the Internet Assigned Numbers Authority (IANA) could be gone in days).

The IPv4 and IPv6 protocols are very similar architecturally. IPv6 is really just IPv4 with longer addresses, revamped and more complex headers, and a few extra protocols (the Address Resolution Protocol, or ARP, has been replaced by ICMPv6 Neighbor Discovery, for example).

The security mechanisms we’ll use in the IPv6 world are almost the same as the ones we’re using in IPv4, which include:

IPv6 doesn’t change anything above the network layer. TCP and UDP haven’t been changed, and the protocols run over IPv6 as well as they did over IPv4. The only major difference is the glue between network and transport layer:

All of the discussion above leads us to the fact that the differences in IPv4 and IPv6 security are mostly implementation-dependent, and we can expect IPv6 to be less secure than IPv4 initially.

Here are some of the main IPv6 security issues that require awareness as IPv6 is deployed.

IPv6 protocol stacks in end-hosts and network devices haven’t been as thoroughly tested (and exposed to hackers) as their IPv4 counterparts. Expect flaws to be uncovered (probably including a few zero-day attacks that exploit vulnerabilities unknown to developers) as IPv6 gains wider acceptance.

Network and security engineers lack IPv6 exposure and operational experience, so expect deployment hiccups and occasional security lapses, though that happens with every new technology.

IPv6-related intrusions and other security incidents will happen because of unintentional connectivity to protected parts of enterprise networks created by the various IPv6-over-IPv4 tunneling mechanisms. There are numerous ways to get yourself connected to the IPv6 world through an IPv4 infrastructure, and public (sometimes even free) tunnel brokers allow you to get IPv6 connectivity in a matter of minutes. Unless your firewalls implement very strict security policies, some of your more audacious users might be able to establish IPv6-over-IPv4 tunnels and unknowingly expose their workstations, or even whole subnets, to the outside world.
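The tunnel problem described above is easy to spot in flow or firewall logs once you know the indicators: 6in4, 6to4 and ISATAP all ride on IP protocol 41, Teredo uses UDP port 3544, and 6to4 and Teredo hosts use addresses from 2002::/16 and 2001::/32 respectively. The following is an added example (not code from the article or from NIL Data Communications) that runs these checks over a handful of constructed flow records; the `key=value` record format is an assumption made for the example, and real NetFlow/IPFIX or firewall exports will need their own parser.

```python
"""Flag IPv6-over-IPv4 tunnel traffic in constructed flow records.

Added example, not from the article. The simple key=value record format
is an assumption; real flow exports differ.
"""
import ipaddress

# Tunnel indicators defined by the protocols themselves.
PROTO_6IN4 = 41          # IPv6 carried directly in IPv4 (6in4, 6to4, ISATAP)
TEREDO_UDP_PORT = 3544   # Teredo server/relay UDP port
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")   # 6to4 addresses
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo addresses

# Constructed sample flow records (not real data).
SAMPLE_FLOWS = [
    "proto=6 src=10.1.1.20 dst=93.184.216.34 sport=51512 dport=443",
    "proto=41 src=10.1.1.20 dst=192.0.2.10 sport=0 dport=0",
    "proto=17 src=10.1.1.21 dst=198.51.100.5 sport=61000 dport=3544",
    "proto=6 src=2002:c000:0204::1 dst=2001:db8::10 sport=40000 dport=80",
    "proto=6 src=2001:0:53aa:64c:0:fffe:3f57:fefd dst=2001:db8::10 sport=40001 dport=22",
    "proto=17 src=10.1.1.22 dst=10.1.1.1 sport=53000 dport=53",
]


def parse_flow(line):
    """Turn one key=value record into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "proto": int(fields["proto"]),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "sport": int(fields["sport"]),
        "dport": int(fields["dport"]),
    }


def classify_flow(flow):
    """Return a reason string if the flow looks like tunnelled IPv6, else None."""
    if flow["proto"] == PROTO_6IN4:
        return "6in4/6to4/ISATAP encapsulation (IP protocol 41)"
    if flow["proto"] == 17 and TEREDO_UDP_PORT in (flow["sport"], flow["dport"]):
        return "Teredo (UDP/3544)"
    # Native IPv6 flows can still reveal tunnel use through the address ranges involved.
    for end in ("src", "dst"):
        addr = flow[end]
        if addr.version == 6:
            if addr in SIXTO4_PREFIX:
                return f"6to4 address in {end} (2002::/16)"
            if addr in TEREDO_PREFIX:
                return f"Teredo address in {end} (2001::/32)"
    return None


def detect_tunnels(lines):
    """Return (source address, reason) for every record that matches an indicator."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify_flow(flow)
        if reason:
            findings.append((str(flow["src"]), reason))
    return findings


if __name__ == "__main__":
    for src, reason in detect_tunnels(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

The same four indicators are what a firewall policy that wants to block unsanctioned tunnels would match on (protocol 41 and UDP/3544 at the perimeter); logging them first shows how much tunnel traffic already exists before a deny rule is added.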

Last but definitely not least, IPv6 implementations from networking vendors still lack some first-hop security features needed to make IPv6 networks as secure as today’s IPv4 networks. Similar to the IPv4 world, numerous well-known first-hop attacks are available to hackers trying to break into IPv6 networks:

Cisco has implemented the RA Guard feature to protect router advertisements on switched networks, and some vendors allow you to implement Secure Neighbor Discovery (SEND), which adds cryptographic measures simpler than full-blown IPsec to protect the ND mechanism. None of these tools approaches the simplicity we had with ARP inspection and DHCP snooping in the IPv4 world, however.
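To make the RA Guard idea concrete, here is an added example (not code from the article, Cisco or any other vendor) that models the core policy RA Guard enforces on a switch: a router advertisement is accepted only when it arrives on a port designated as router-facing, comes from a link-local source as RFC 4861 requires, and advertises a prefix the operator expects. The record format, the port names and the policy values are assumptions made for the example.

```python
"""Simplified RA Guard style policy check over constructed RA records.

Added example, not the article's or any vendor's implementation. The record
format, port names, trusted-port set and prefix allowlist are assumptions.
"""
import ipaddress

# Assumed policy: which switch ports may carry RAs and which prefixes they may advertise.
ROUTER_PORTS = {"Gi1/0/48"}
ALLOWED_PREFIXES = {ipaddress.ip_network("2001:db8:10::/64")}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed sample RAs as a switch would see them (not real captures).
SAMPLE_RAS = [
    {"port": "Gi1/0/48", "src": "fe80::1", "prefixes": ["2001:db8:10::/64"]},
    {"port": "Gi1/0/7", "src": "fe80::5054:ff:fe12:3456", "prefixes": ["2001:db8:10::/64"]},
    {"port": "Gi1/0/48", "src": "fe80::1", "prefixes": ["2001:db8:bad::/64"]},
    {"port": "Gi1/0/9", "src": "2001:db8:10::9", "prefixes": ["2001:db8:10::/64"]},
]


def evaluate_ra(ra):
    """Return (verdict, reason) for one RA record."""
    src = ipaddress.ip_address(ra["src"])
    # RFC 4861 requires the RA source to be the router's link-local address.
    if src not in LINK_LOCAL:
        return ("drop", "RA source is not link-local (RFC 4861 requires fe80::/10)")
    # Host-facing ports must never originate RAs; this is the heart of RA Guard.
    if ra["port"] not in ROUTER_PORTS:
        return ("drop", f"RA on host-facing port {ra['port']}")
    # Even a trusted port may only advertise prefixes the operator expects.
    for p in ra["prefixes"]:
        if ipaddress.ip_network(p) not in ALLOWED_PREFIXES:
            return ("drop", f"unexpected prefix {p}")
    return ("accept", "trusted port and expected prefix")


def filter_ras(ras):
    """Evaluate every record and return (port, verdict, reason) tuples."""
    return [(ra["port"], *evaluate_ra(ra)) for ra in ras]


if __name__ == "__main__":
    for port, verdict, reason in filter_ras(SAMPLE_RAS):
        print(f"{port}: {verdict} ({reason})")
```

The point of the model is that the decision needs only the ingress port and the RA contents, which is why RA Guard can be a simple per-port switch feature; the awkward part in practice, as the article notes, is that not every platform offers it with the same ease as DHCP snooping.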

Until equipment vendors fill in the gaps and offer true feature parity between IPv4 and IPv6 security features, we can expect IPv6 networks to be less secure than today's IPv4 networks -- not because IPv6 is insecure, but because today's IPv6 implementations still lag behind their IPv4 counterparts.

About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. Check out his IOS Hints blog, and ask him your IPv6 questions at SearchTelecom.com's Ask the Expert.
